Security Bulletin for MiVoice Business Express (MiVB-X) SECURITY BULLETIN ID: 15-0012-004 RELEASE VERSION: 1.0 DATE: 2016-02-01 SECURITY BULLETIN 15-0012-004 V1.0 OVERVIEW This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0012. Visit http://www.mitel.com/security-advisories for more details. Multiple vulnerabilities have been identified in specific versions of Oracle Java. The reported issues have varied levels of risk, where some of which were rated as high. Details for some issues are undisclosed by the vendor. As a precautionary measure, Mitel is updating products to use unaffected versions of Java. The corresponding CVEs are identified in this Security Bulletin; customers are advised to consult these CVEs and vendor references for technical details. APPLICABLE PRODUCTS This security bulletin provides information on the following products: PRODUCT NAME VERSION(S) AFFECTED SOLUTION(S) AVAILABLE MiCollab with Voice (MiCV) MiCV 6.0 SP1 & SP2 (126.96.36.199, 188.8.131.52, 184.108.40.206) MiVoice Business Express (MiVB-X) 7.0 (220.127.116.11) OVA RISK / EXPOSURE The following CVEs are potentially applicable to NPM (listed in order of ID): CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4842, CVE-2015-4843, CVE-2015-4860, CVE-2015-4872, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911 Due to the limited information, Mitel’s ability to confirm applicability and resolution is limited, and is therefore relying on the vendor’s assertion. The aforementioned CVEs have varied levels of risk. Please consult the CVEs for additional details. MITIGATION / WORKAROUNDS No workarounds are available. Mitigation is available through a newer version of MiVoice Business Express 7.0 software (18.104.22.168) in the form of an OVA that can be deployed to a VMWare Environment. For Hyper-V type deployment, the software ISOs can be downloaded from MOL. PATCH INFORMATION A new release of MSL is available, which provides an updated Java runtime environment, as well as other fixes. Customers are advised to update to MSL 10.1.47.0 or higher. Alternatively, customers can update MiVoice Business Express to an unaffected version. Customers are advised to contact Product Support for more information. © Copyright 2016, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of these marks.